Penetration Testing mailing list archives

Re: Cracking FTP password so that I can convince people not to use FTP, and to instead use SFTP? How do I crack the pwd?


From: "Jimmy Brokaw" <hedgie () hedgie com>
Date: Sat, 11 Oct 2008 16:07:09 -0400 (EDT)

Chip Panarchy wrote:

The most helpful ones (apart from the ones explaining how the protocol
works and differences between that and SFTP etc.) were the ones that
suggested I use:
Brutus or Hydra. (oh, and Metasploit)

Both Brutus and Hydra will do brute force attacks.  Keep in mind that
switching to SFTP will not prevent, or even complicate, a brute force attack,
unless you disable password logins on the SFTP server.  If he's reluctant to
drop FTP, chances are you're going to have a hard time convincing him to
create certificates and use them for logging into his server.  He's probably
more likely to just pick a longer/more complicated password that you're less
able to crack.

I stand by other posters that cracking the password doesn't demonstrate the
vulnerability of FTP nearly as well as sniffing it, simply because FTP's
biggest and most frequently exploited vulnerability is that it transmits
everything, including passwords, in the clear.

-- 
   \\\\\                       hedgie () hedgie com
  \\\\\\\__o   Bringing hedgehogs to the common folk since 1994.
__\\\\\\\'/________________________________________________________
                              http://www.hedgie.com
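
The point made in the message above, that moving to SFTP only stops password guessing once password logins are disabled, can be checked against the server's own configuration. This is an added example, not part of the original post; it assumes an OpenSSH server, the function names and sample configs are constructed, and Include files and Match blocks are not evaluated.

```python
# OpenSSH defaults when a keyword is absent from sshd_config.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}
# Deprecated alias still found in older configs.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_auth(config_text):
    """Return global auth settings; sshd keeps the first value it reads per keyword."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.replace("=", " ", 1).split()
        if not parts:
            continue
        key = parts[0].lower()
        if key == "match":
            break  # conditional overrides follow; only global settings are audited
        key = ALIASES.get(key, key)
        if key in DEFAULTS and len(parts) > 1 and key not in seen:
            seen[key] = parts[1].lower()
    return {**DEFAULTS, **seen}


def password_guessing_possible(config_text):
    """True if a remote client can still submit guessed passwords."""
    auth = effective_auth(config_text)
    # keyboard-interactive can also prompt for a password (for example via PAM)
    return "yes" in (auth["passwordauthentication"],
                     auth["kbdinteractiveauthentication"])


# Constructed sample configs (not taken from any real server).
SFTP_SWAP_ONLY = "Subsystem sftp internal-sftp\n"
HALF_DONE = "PasswordAuthentication no\n# KbdInteractiveAuthentication no\n"
KEYS_ONLY = ("PasswordAuthentication no\n"
             "ChallengeResponseAuthentication no\n"
             "PasswordAuthentication yes   # ignored: first value wins\n")

if __name__ == "__main__":
    for name in ("SFTP_SWAP_ONLY", "HALF_DONE", "KEYS_ONLY"):
        print(name, "password guessing possible:",
              password_guessing_possible(globals()[name]))
```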

